Config files with sensitive data

Which files of DOpus configuration contain sensitive data?
I'm trying to use Dropbox to easily import/export settings on my two computers.

Clicking import&export takes too much time so I prepared a BAT script which uses WinRAR to archive files and restore them (copy to user data folder).
I'm concerned about Dropbox security issues and I don't want to share files that might contain sensitive data, like ftp passwords.

So far I excluded ConfigFiles\ftp.oxc and ConfigFiles\ftpdef.oxc. Are there any other files that might be dangerous if someone got them?
Now I thought about any caches and labeled items, as they might provide information about file names on my disk. But they seem to be in /localappdata, which I don't plan to export/import.

Are there any files in /localappdata that are worth sharing between two computers? As I scoured this folder, there are mainly files related to a specific computer (like MRU lists or open listers).

You can automate the backup without using WinRAR or copying files by hand. You can also put a password on the result, so (assuming the password is strong) it doesn't matter if someone gets access to the file on Dropbox:

Prefs BACKUP=all TO /desktop/PrefsBackup PASSWORD abc123

If you don't want to see the progress dialog, add the QUIET argument.

(It encrypts the data but not the filenames, so some of the names of e.g. Layouts, Folder Tab Groups will be readable. You could zip & encrypt the resultant .ocb file instead if you're worried about that.)

I didn't know about this command but I see several disadvantages.

  1. WinRAR gives me an option to type a password when archiving. I don't need to store it anywhere (file or menu/toolbar item), in contrast to DOpus backup.

  2. I had a security issue (password leak) when synchronizing DO config with Dropbox a year ago and I'm really worried about storing passwords in such places (even encrypted). This is why I would most appreciate finding a way to completely exclude sensitive data from the backup file(s).

  3. And, in fact, I don't need to synchronize FTP sites. I use one computer to work and the other for "home purposes" so I don't see much sense in transferring sites from work to home computer. And I don't see an option to exclude ftp address book from backup.

You can use {dlgstring} to prompt for a password when creating the backup.

But even with the password in the command and not using {dlgstring}, the password would not be readable on your Dropbox share anyway because it would be inside the encrypted config backup. The only place the password would be visible would be on your computer, where the whole config is (obviously) readable anyway so the password wouldn't protect much (except historic config backups, I guess).

But if you want more granular control of what's backed up than what the command gives then, yes, using another method to create the backup is required. You still don't need to use WinRAR (Opus can create archives itself) but you can use it if you want.

I would also be interested in which files contain sensitive or non-portable information. I want to share my config with friends that have Opus too or want to try it.

Define what you consider "sensitive" and we can tell you which files are involved. The FTP address book is /dopusdata/ConfigFiles/ftp.oxc.

I think that any data containing passwords, login information or local paths can be considered sensitive.
I'm afraid there's no way to be sure that there's no sensitive data hidden by the user in a button or menu, like a button with a command containing login information or some kind of password. But certainly there are some places where sensitive data is usually stored.

The only place where it's usually stored is the FTP address book.
If you've added passwords to your buttons or menus that's really your problem :)

This is what I wanted to know.

But when sending someone my config files I would also exclude labeled items:

  1. It might be a security issue, as someone might find out what kind of files you are viewing :)
  2. Usually there's no sense in sending someone your labeled items, unless they are common files or folders like c:\windows.

\AppData\Roaming\GPSoftware\Directory Opus\ConfigFiles\foldercolors.oxc

If you're worried about that kind of thing, it'd make more sense to locate and send just the parts of the config you need (and that they actually want), rather than do the reverse and find the parts of the config you don't want.

Details about local file paths will be all over parts of the config, and people aren't going to want all your favorites and other stuff.

I don't think sharing entire configs ever makes sense, at least unless they are specially crafted to be good defaults.

OTOH, if it's for backup purposes you can encrypt the whole thing and not worry about it.
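
An added example, not part of the thread and not Directory Opus code: one way to build a sync or share copy of a config folder that leaves out the three files named above and also holds back any other file that looks like it carries a password, a URL with embedded credentials, or a user-profile path. It assumes the config files are UTF-8 text; the patterns are heuristics, and the sample file names `button.oxc` and `favorites.oxc` and all sample contents are constructed.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Files named in the thread: FTP address book, FTP defaults, labeled items.
EXCLUDE = {"ftp.oxc", "ftpdef.oxc", "foldercolors.oxc"}
# Heuristic patterns (assumptions, not an Opus schema).
SUSPECT = [
    ("url-credentials", re.compile(r'[a-z][a-z0-9+.-]*://[^\s/:@"<>]+:[^\s/@"<>]+@', re.I)),
    ("password-argument", re.compile(r'\b(?:password|passwd|pwd)\b[\s=:]+\S+', re.I)),
    ("user-profile-path", re.compile(r'[A-Z]:\\Users\\[^\\"<>\s]+', re.I)),
]

def scan(path):
    """Return the sorted labels of suspect patterns found in one file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return sorted(label for label, rx in SUSPECT if rx.search(text))

def export_config(src, dst):
    """Copy files from src to dst; skip excluded names and flagged files."""
    copied, skipped = [], {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        if f.name.lower() in EXCLUDE:
            skipped[rel] = ["excluded-by-name"]
        elif (hits := scan(f)):
            skipped[rel] = hits          # held back for manual review
        else:
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, dst / rel)
            copied.append(rel)
    return copied, skipped

def demo():
    # Constructed sample content; only the EXCLUDE names come from the thread.
    samples = {
        "ftp.oxc": "<ftp/>",
        "foldercolors.oxc": "<labels/>",
        "prefs.oxc": '<prefs><lister width="800"/></prefs>',
        "button.oxc": "Prefs BACKUP=all TO /desktop/PrefsBackup PASSWORD abc123",
        "favorites.oxc": r'<fav path="C:\Users\alice\Documents"/>',
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "ConfigFiles"), Path(tmp, "export")
        src.mkdir()
        for name, body in samples.items():
            (src / name).write_text(body, encoding="utf-8")
        copied, skipped = export_config(src, dst)
        return copied, skipped, sorted(p.name for p in dst.iterdir())
```

Calling `demo()` runs the export over the constructed samples; files listed in `skipped` are the ones to inspect by hand before sharing, since a match is only a hint and a clean scan is not proof that a file is free of sensitive data.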